Stream packet sniffer to Wireshark

On the capture host, start a Wireshark capture on the interface that carries the address you will stream to, with the capture filter "udp port 37008". That is the TZSP port the sniffer streams to, and Wireshark decodes the encapsulated frames automatically. Promiscuous mode is not required, because the stream is addressed directly to your host.

Set up the MikroTik packet sniffer to stream to your IP address.
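The router side of that procedure, as an added example rather than configuration from the original page. RouterOS 6 syntax; the workstation address 192.0.2.10 and the interface name ether1 are assumptions.

```routeros
# Added example, not from the original page. 192.0.2.10 is the Wireshark
# host and ether1 the interface to sniff; both are placeholders.
/tool sniffer
set streaming-enabled=yes streaming-server=192.0.2.10 \
    filter-interface=ether1 \
    filter-stream=yes
# filter-stream=yes stops the sniffer from capturing its own TZSP stream.
# Without it every streamed packet is captured again and streamed again,
# which floods the link to the workstation within seconds.
start
# ... capture on the workstation with "udp port 37008", then:
stop
# Streaming settings persist; disable them when finished so the router
# does not keep mirroring traffic to that address after the session.
set streaming-enabled=no
```

TZSP is plain UDP with no encryption or authentication: every payload the router sniffs travels in the clear to the workstation, and anything that can reach UDP 37008 on the workstation can inject forged frames into the capture. Stream only across a trusted management path or a VPN, and point the capture filter at the router's source address if the workstation is reachable from elsewhere.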

Set up the system emailer

I have noticed that in RouterOS v2, the emailer uses the system identity as the HELO/EHLO host name. Some mail servers won't accept a host name with spaces or other characters. RouterOS v3 doesn't seem to be affected by this.
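An emailer setup that avoids the HELO problem, added here as an example and not taken from the page. Mail server, account and addresses are placeholders, and the TLS option name depends on the RouterOS build (start-tls=yes on older 6.x, tls=starttls on newer ones).

```routeros
# Added example, not from the original page. mail.example.com, the account
# and the recipient are placeholders.

# An identity with spaces becomes the EHLO name on v2, which strict MTAs
# reject. Weak setting, shown for contrast:
#   /system identity set name="Branch Office GW"
# Hostname-safe identity instead:
/system identity set name=branch-gw1

# Authenticated submission over STARTTLS rather than cleartext port 25.
# Assumption: this build names the option "tls"; older 6.x use start-tls=yes.
/tool e-mail set address=mail.example.com port=587 tls=starttls \
    from=branch-gw1@example.com user=branch-gw1 password="REPLACE-ME"

# Test send. A rejected EHLO or failed login shows up in /log under the
# e-mail topic together with the server's reply.
/tool e-mail send to=admin@example.com \
    subject="emailer test from $[/system identity get name]" \
    body="If you read this, EHLO and authentication worked."
```

The password is stored on the router and is recoverable from a full configuration export, so use a dedicated send-only account for it rather than an administrator's mailbox credentials.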

Best Effort Queuing with Global-In and Guaranteed Queuing on outbound with two ISPs and connection tracking

queue-root-global-in deals with traffic coming from the internet to the router and catches traffic that is bound for the router itself as well as traffic that will be forwarded through to NAT clients. There is a subqueue for each ISP.

queue-root-isp1 deals with the outbound traffic to isp1 from the router as well as NAT clients behind the router.

queue-root-isp2 deals with the outbound traffic to isp2 from the router as well as NAT clients behind the router.

The traffic that is handled in these last two queues is marked by the mark-traffic mangle chain. The packet marks are generic to the type of traffic (bulk, priority, voice) because the root queues are connected to specific interfaces.

The traffic that is handled in the global-in queue is marked by rules in the prerouting chain. The packet marks are specific to the interface that the traffic came in on (isp1-bulk, isp2-bulk, etc.) because the root queue is not connected to a specific interface but to global-in, which is an aggregate of ALL incoming packets on ALL interfaces.
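One way to build the marks and the three trees described above, added here as an example and not the page's own configuration. Interface names (ether1-isp1, ether2-isp2, ether3-lan), link speeds and the port lists are assumptions. The parent name global-in follows the page's RouterOS v3 era; RouterOS 6 merged global-in and global-out into a single parent called global, so use parent=global there.

```routeros
# Added example, not from the original page. Interfaces, speeds and ports
# are placeholders.

/ip firewall mangle
# --- outbound: generic marks from the mark-traffic chain. Both LAN traffic
#     (prerouting) and router-originated traffic (output) are sent there. ---
add chain=prerouting in-interface=ether3-lan action=jump jump-target=mark-traffic
add chain=output action=jump jump-target=mark-traffic
add chain=mark-traffic protocol=udp dst-port=5060,10000-20000 \
    action=mark-packet new-packet-mark=voice passthrough=no comment="SIP/RTP"
add chain=mark-traffic protocol=tcp dst-port=22,53,443 \
    action=mark-packet new-packet-mark=priority passthrough=no comment="interactive"
add chain=mark-traffic action=mark-packet new-packet-mark=bulk passthrough=no \
    comment="everything else leaving via an ISP"

# --- inbound: interface-specific marks in prerouting, consumed by global-in ---
add chain=prerouting in-interface=ether1-isp1 protocol=udp src-port=5060,10000-20000 \
    action=mark-packet new-packet-mark=isp1-voice passthrough=no
add chain=prerouting in-interface=ether1-isp1 \
    action=mark-packet new-packet-mark=isp1-bulk passthrough=no
add chain=prerouting in-interface=ether2-isp2 protocol=udp src-port=5060,10000-20000 \
    action=mark-packet new-packet-mark=isp2-voice passthrough=no
add chain=prerouting in-interface=ether2-isp2 \
    action=mark-packet new-packet-mark=isp2-bulk passthrough=no

/queue tree
# Inbound is best effort only: global-in can just drop packets that have
# already crossed the ISP link. max-limit per ISP = its download speed.
add name=queue-root-global-in parent=global-in
add name=isp1-in parent=queue-root-global-in max-limit=20M
add name=isp1-in-voice parent=isp1-in packet-mark=isp1-voice priority=1 limit-at=2M max-limit=20M
add name=isp1-in-bulk  parent=isp1-in packet-mark=isp1-bulk  priority=8 limit-at=1M max-limit=20M
add name=isp2-in parent=queue-root-global-in max-limit=10M
add name=isp2-in-voice parent=isp2-in packet-mark=isp2-voice priority=1 limit-at=1M max-limit=10M
add name=isp2-in-bulk  parent=isp2-in packet-mark=isp2-bulk  priority=8 limit-at=1M max-limit=10M

# Outbound trees hang off the physical interface, so limit-at is a real
# guarantee. The same generic marks serve both ISP trees.
add name=queue-root-isp1 parent=ether1-isp1 max-limit=5M
add name=isp1-voice    parent=queue-root-isp1 packet-mark=voice    priority=1 limit-at=1M   max-limit=5M
add name=isp1-priority parent=queue-root-isp1 packet-mark=priority priority=3 limit-at=1M   max-limit=5M
add name=isp1-bulk     parent=queue-root-isp1 packet-mark=bulk     priority=8 limit-at=512k max-limit=5M
add name=queue-root-isp2 parent=ether2-isp2 max-limit=2M
add name=isp2-voice    parent=queue-root-isp2 packet-mark=voice    priority=1 limit-at=512k max-limit=2M
add name=isp2-priority parent=queue-root-isp2 packet-mark=priority priority=3 limit-at=512k max-limit=2M
add name=isp2-bulk     parent=queue-root-isp2 packet-mark=bulk     priority=8 limit-at=256k max-limit=2M
```

Set each root's max-limit slightly below the real link speed, otherwise the ISP's own buffer does the queuing and the priorities never take effect. The inbound marks rely on the source port of the remote end, which any client can spoof to get into the voice queue; that is acceptable for a best-effort tree but is a reason to keep the voice limit-at small.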

Once this is done, we need to be notified somehow. That is done with a script that runs every X minutes and sends one email for each address currently on the list. Add addresses to the smtp-possible-spammers list for 10 minutes (or more) and run the script every 5 minutes. With those timers an address is still listed when the next run comes around, so it is reported twice unless the script keeps track of what it has already sent.

An alternative method is to allow outbound SMTP only from a specified list of IPs. The rules below allow outbound SMTP from addresses on the smtp-allowed-outbound list; every other attempt is logged and its source added to smtp-possible-spammers, followed by the drop.
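The allow-list rules together with the notifier script and its schedule, written out as an added example; these are not the page's own rules. The administrator address, the smtp-notified list used to avoid duplicate reports, and the 10 m/5 m timers are assumptions, and /tool e-mail is assumed to be configured already.

```routeros
# Added example, not from the original page. admin@example.com and the
# list/timer names are placeholders.

/ip firewall filter
# The real mail server(s) may deliver directly.
add chain=forward protocol=tcp dst-port=25 src-address-list=smtp-allowed-outbound \
    action=accept comment="outbound SMTP from approved relays"
# Already flagged: drop quietly so one infected host does not flood the log.
add chain=forward protocol=tcp dst-port=25 src-address-list=smtp-possible-spammers \
    action=drop comment="known suspect, drop silently"
# First offence: record the source for 10 minutes and log it. The
# add-src-to-address-list action does not stop rule processing, which is
# why an explicit drop follows it.
add chain=forward protocol=tcp dst-port=25 action=add-src-to-address-list \
    address-list=smtp-possible-spammers address-list-timeout=10m \
    log=yes log-prefix="smtp-suspect"
add chain=forward protocol=tcp dst-port=25 action=drop comment="all other outbound SMTP"

# Each suspect is mailed once. The smtp-notified list remembers who was
# already reported, with the same lifetime as the suspect entry, so a
# 5-minute schedule over a 10-minute list does not send duplicates.
/system script
add name=notify-smtp-suspects source={
    :foreach id in=[/ip firewall address-list find list=smtp-possible-spammers] do={
        :local addr [/ip firewall address-list get $id address]
        :if ([:len [/ip firewall address-list find list=smtp-notified address=$addr]] = 0) do={
            /ip firewall address-list add list=smtp-notified address=$addr timeout=10m
            :local subj ("possible spammer " . $addr)
            :local msg ("$addr attempted outbound SMTP (tcp/25) and is not in smtp-allowed-outbound. It is blocked for 10 minutes; check the host for malware or an open relay.")
            /tool e-mail send to="admin@example.com" subject=$subj body=$msg
        }
    }
}

/system scheduler
add name=notify-smtp-suspects interval=5m on-event=notify-smtp-suspects
```

The rules only cover port 25, which is what a spam bot delivering straight to remote MX hosts uses; legitimate clients submitting through their provider on 587 or 465 are untouched, so those ports should stay open unless the site has its own relay. Keep the accept rule first so the mail server is never accidentally listed as a suspect.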

Web proxy blocking IP based URLs

I had a customer today tell me that their Barracuda web filter is the only device they've found to date that can do IP-based URL blocking. He said he knows Fortinet and SonicWall can't do it, and Palo Alto said they might be able to. The proxy access rule below for the MikroTik does just that:
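An access list that denies requests whose host part is an IP literal, added as an example; it is not the rule the author refers to. The proxy port, the LAN interface name and the choice of encodings to catch are assumptions. In /ip proxy access a dst-host value starting with ":" is treated as a regular expression; typed in the console, "\\." is a literal dot and "\$" a literal end anchor.

```routeros
# Added example, not from the original page. Port 8080 and ether3-lan are
# placeholders.
/ip proxy
set enabled=yes port=8080

/ip proxy access
# dotted-quad hosts, e.g. http://203.0.113.7/ (dotted octal forms match too)
add dst-host=":^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+\$" action=deny \
    comment="deny dotted IP-literal URLs"
# the same address written as a single decimal number, e.g. http://3405803271/
add dst-host=":^[0-9]+\$" action=deny comment="deny dword IP-literal URLs"
# and as a hex literal, e.g. http://0xcb007107/
add dst-host=":^0[xX][0-9a-fA-F]+\$" action=deny comment="deny hex IP-literal URLs"

# Send plain HTTP from the LAN through the proxy without client configuration.
/ip firewall nat
add chain=dstnat in-interface=ether3-lan protocol=tcp dst-port=80 \
    action=redirect to-ports=8080

# Never expose the proxy itself to the outside; an open proxy is worse
# than no filter at all.
/ip firewall filter
add chain=input protocol=tcp dst-port=8080 in-interface=!ether3-lan action=drop \
    comment="proxy is for the LAN only"
```

The three patterns exist because browsers accept more than one spelling of an address, and a filter that only knows the dotted form is trivially bypassed. Transparent redirection handles port 80 only; HTTPS traffic bypasses the proxy unless clients are configured to use it explicitly, in which case the CONNECT target is what dst-host matches.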

Writing files in RouterOS

You can fetch any file and read its contents, but a script can only work with files of up to 4096 characters, because that is the current limit on how much a RouterOS string variable can hold.

When you create a file from the terminal, RouterOS appends .txt to any name that doesn't already end in .txt.

You can use newlines (\n, or \r\n in files that came from a Windows host) as delimiters, which is super helpful when you have downloaded a list of IP addresses from somewhere.

The basic commands for working with a file, using variables in place of static content or file names (give $filename a .txt ending so the same variable works for every step):
1. To create a new file (the print output lands in the file; overwrite it with step 3)
/file print file=$filename
2. To read an existing file into a variable
:local filedata [/file get $filename contents]
3. To write to an existing file (replaces the contents)
/file set $filename contents=$newdata
4. To append to an existing file
/file set $filename contents=([/file get $filename contents] . $newdata)
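The commands above put together into the use case the section mentions: download a newline-delimited address list, read it back, and load each entry into an address list. This is an added example, not script from the page; the URL, file name and list name are placeholders, and check-certificate=yes assumes the server's CA has already been imported on the router.

```routeros
# Added example, not from the original page. URL, file and list names are
# placeholders.
:local url      "https://blocklist.example.com/drop.txt"
:local fname    "drop.txt"
:local listname "fetched-drop"

# Verify the server certificate. The default (check-certificate=no) lets
# anyone on the path hand the router an attacker-chosen list, which then
# goes straight into the firewall.
/tool fetch url=$url dst-path=$fname mode=https check-certificate=yes

:local data [/file get $fname contents]
:if ([:len $data] >= 4096) do={
    :log warning ("$fname hits the 4096-character limit; the list is probably incomplete")
}

# Fetch succeeded, so drop the previous entries; stale ones disappear.
/ip firewall address-list remove [find list=$listname]

:local added 0
:while ([:len $data] > 0) do={
    # cut the next line off the front, handling a last line without "\n"
    :local nl [:find $data "\n"]
    :local line
    :if ([:typeof $nl] = "nil") do={
        :set line $data
        :set data ""
    } else={
        :set line [:pick $data 0 $nl]
        :set data [:pick $data ($nl + 1) [:len $data]]
    }
    # strip the trailing "\r" of CRLF files
    :if ([:len $line] > 0) do={
        :if ([:pick $line ([:len $line] - 1) [:len $line]] = "\r") do={
            :set line [:pick $line 0 ([:len $line] - 1)]
        }
    }
    # skip blank and comment lines; let the address-list parser reject the rest
    :if ([:len $line] > 0) do={
        :if ([:pick $line 0 1] != "#") do={
            :do {
                /ip firewall address-list add list=$listname address=$line comment="fetched"
                :set added ($added + 1)
            } on-error={
                :log warning ("skipped invalid entry in $fname: $line")
            }
        }
    }
}
:log info ("loaded $added entries from $fname into $listname")
```

A failed fetch aborts the script before the old list is removed, so the firewall keeps the last good data. Lines the address-list parser refuses are logged rather than silently dropped, which is how you notice that a feed has changed format.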